A Blockchain Currency That Beats Bitcoin On Privacy – IEEE Spectrum

In October, I was in a van in Denver with Zooko Wilcox,the CEO of Zcash, a company that was soon to launch a new blockchain-based digital currency of the same name. On the floor next to me was a bunch of recently purchased computer equipment. I knew we were going to a hotel but didn’t know which one. I only knew that I’d be there for the next two days straight and that it would be my job to watch, ask questions, stave off sleep, and document as much as I possibly could.

That day began a cryptographic ceremony of sorts, one that could make or break a new digital currency. Zcash is identical to Bitcoin in many ways. It’s founded on a digital ledger of transactions called a blockchain that exists on an army of computers that can be anywhere in the world. But it differs from Bitcoin in one critical way: It is completely anonymous. Although privacy was a motivating factor for ­Bitcoin’s flock of early adopters, it didn’t deliver the goods. For those who want to digitally replicate the experience of slipping on a ski mask and handing over an envelope of unmarked bills, Zcash is now the way to go.

The problem with Bitcoin today is that the entire history is public. If users are not extremely careful, network analysis can reveal the real identities of the people behind the accounts

To deliver on this anonymity, however, the Zcash protocol requires an initial dose of randomness, a set of parameters that functions as a reference point for the rest of the software. But the process comes with an unfortunate by-product. The software that generates the parameters also creates pieces of a cryptographic key, which if combined could be used to generate new coins out of thin air. The ceremony I was being carted off to was serving as a public demonstration that the cryptographic fragments were being created and disposed of in such a way that the complete key would never come into existence.

But why make a currency that faces its first existential threat at the very moment of its creation? Because for the subset of people who like their currency digital and free from government control, anonymity really matters.

“Zcash is really exciting because it’s the first combination of the blockchain properties with the encryption properties,” says Wilcox. This layer of encryption means that with Zcash, transactions will leave no trace on the blockchain of who spent a coin or in what digital pocket it landed. All that will be visible is that a transaction occurred.

Bitcoin, the first and most widely used digital currency, established the blockchain as a revolutionary technology. Blockchains provide a way for disparate, mistrustful parties to jointly maintain a public ledger of transactions and to do so in a way that renders all entries permanent.

The problem with Bitcoin as it is implemented today is that the entire history is public. Transactions are attributed to random identifiers that in themselves carry no information about the person controlling the accounts. But if users are not extremely careful, network analysis can reveal both the financial behavior and the real identities of the people behind the accounts. (Several companies, such as Chainalysis, now provide such a service.)

Zcash also has a blockchain that records and publicly broadcasts every transaction ever made with it. But it hides all identifying information about who made the transactions and how much was spent.

“Zcash solves this privacy problem by encrypting each transaction. We use standard, modern, high-tech ­encryption, which is the same kind of encryption that is used to protect websites and emails and everything on the Internet,” says Wilcox.

This, however, creates a new problem. In Bitcoin, having all the details of transactions available without encryption enables miners—the people running the software that updates and secures the blockchain—to validate new spending requests by referencing previous transactions in the record. When those data are hidden from view, validation becomes more complex and requires a special kind of computation called a zero-knowledge proof. That computation enables users to prove that they own the coins they want to spend without revealing any information about where the coins came from or where they are going. Such proofs are used in many other contexts around the Internet. For instance, zero-knowledge proofs allow you to type in a password on a website and have it verified by the site’s server without actually transmitting the password.

The broad strokes for Zcash were designed in 2013 at a Johns Hopkins University applied cryptography lab led by Matthew Green. The currency system was later enhanced by Eli Ben-Sasson, a computer scientist at the ­Technion, and a group of researchers at MIT and Tel Aviv University. They developed a new zero-knowledge proof, called a zk-SNARK, that is much less computationally intensive and thus crucial for scaling the currency.

Now Zcash is in the hands of Wilcox. Privacy is an issue that is near to his heart. As a teenager, he delayed going to college to work with cryptographer David Chaum on DigiCash, an early implementation of a privacy-centric digital cash. When that project crashed in the 1990s, ­Wilcox continued the crusade.

Enhancing financial privacy will likely enhance the ability of criminals to go about their business undetected, and that’s a legitimate fear. Bitcoin itself found its first—and arguably thus far only—killer app when sellers and buyers realized that they could use it for illegal purchases in “dark Web” markets.

But Wilcox, who regards privacy as a right, argues that there are important, legitimate reasons why someone would want to use an anonymous currency.

“There are regulatory and commercial and moral reasons for privacy from all sectors,” he says. To give a commercial example: Apple wouldn’t want Samsung to be able to track its transactions and gain valuable competitive intelligence.

Or the motivating factor could be regulatory compliance. Multiple laws in the United States and the United Kingdom, such as the data-­privacy rules of the Health Insurance Portability and Accountability Act of 1996, require companies to keep consumer information hidden from view, a feature Zcash can reliably offer.

There are also strictly technical considerations that make strong privacy a necessary feature in a digital currency. Ideally, for the system to function, coins should be fungible, which is to say that each coin should be indistinguishable from the next. When a coin carries the history, and potentially the smear, of every past transaction—as bitcoins do—this can be difficult to achieve.

“The laws of economics are almost as immutable as the laws of physics. And good money means that every unit of that money is the same as any other unit of that money. The only way to have that be the case for digital currencies is to have it be private,” says Roger Ver, a Zcash investor who considers fungibility a central concern.

But perhaps the most intriguing feature of Zcash is that users can toggle the level of privacy it provides. Although the Zcash protocol encrypts all information about transactions by default, people can selectively disclose this data, and they have control over what parts get revealed as well as who gets to see them.

Let’s say I’m in college and my parents are funding my studies. They could send me Zcash, and then I could lift the veil on all the transactions I make with that money in a way that only they could see.

Adam Back, a cryptographer who has himself endeavored to strengthen Bitcoin’s privacy guarantees with a scheme called Confidential Transactions, says that Zcash is able to offer this degree of flexibility because, unlike Bitcoin, it starts with the strongest privacy-guarantee tools available.

“It’s very hard to build something stronger on something that’s weak,” he says. “If you start with a perfect electronic cash system building block, then you can build an electronic cash system with selective weakening in a way that makes sense for society.”

But cryptographers like Back do have reservations. There is, of course, the problem of requiring that one moment of infallibility on the part of human beings—the destruction of the key fragments—to guarantee its security.

Also, the zk-SNARK computations that validate transactions are quite exotic, at least compared with the well-worn standards used in Bitcoin. “The number of people who understand and have read the math and could develop an attack would be very small, maybe a dozen researchers worldwide. And so you run the risk that maybe not enough people have looked at it to have the insight of what’s wrong with it,” says Back.

The Zcash company, which developed the open-source software, is itself a bit of an experiment. It has a direct stake in the coins that are generated by the Zcash protocol. As with Bitcoin, miners periodically create new coins. But with Zcash, the miners get to keep only 90 percent of those coins. The rest gets dumped into accounts controlled by the Zcash company, which has stated that it will divvy up these earnings among founders, private investors, and a nonprofit foundation responsible for working on future versions of the protocol. But it is up to the company to transparently report on where that money flows.

One of the biggest unknowns is whether enough people care deeply enough about privacy to bring Zcash into the mainstream. When DigiCash declared bankruptcy in 1998, the failure was attributed partially to a lack of interest in financial privacy on the part of the everyday consumer. Buoyed by unsolicited encouragement both online and in person, Wilcox is confident that it will be different this time around.

Virtual currency is not legal tender, is not backed by the government, and accounts and value balances are not subject to consumer protections. The information does not constitute investment advice or an offer to invest.